OCHA

2003-01-22 Thread Nancy Jones
I want to find the easiest method (that complies with the law) for
documenting an OCHA with our physicians.  Does this mean I need
individual written agreements between our hospital and each physician
with privileges? If so, is anyone willing to share a sample, as I can't
find one anywhere.  

Or can this be done by simply revising the Medical Staff Bylaws and
including a declaration that an organized health care arrangement exists
between the docs and the hospital, and that we have jointly designed a
NPP?

Some area hospitals are asking their docs to sign Confidentiality
Statements on top of everything else. This seems too much to me.

Any guidance will be greatly appreciated.
begin:vcard 
n:Jones;Nancy
tel;work:Nacogdoches Memorial Hospital
x-mozilla-html:FALSE
org:Nacogdoches Memorial Hospital
adr:;;1204 N. Mound Street;Nacogdoches;Texas;75961;
version:2.1
email;internet:[EMAIL PROTECTED]
title:Director of Compliance
fn:Nancy Jones
end:vcard



---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



Re: OCHA

2003-01-22 Thread Dawn Lenox
We are doing an Administrative Policy that the Med Exec Committee will
approve.  The policy states that they agree to abide by our Joint Notice of
Privacy Practices.  HIPAA does NOT require you to designate yourselves as
an OHCA, unlike Affiliated Entity status which does.  I believe that the
Privacy Reg defines a relationship that already exists and therefore you are
only left with finding a method of documenting that the medical staff
agree to abide by the joint notice.  To try and get them all to sign an
agreement sounds like a tracking nightmare to me.

- Original Message -
From: Nancy Jones [EMAIL PROTECTED]
To: WEDI SNIP Privacy Workgroup List [EMAIL PROTECTED]
Sent: Wednesday, January 22, 2003 8:54 AM
Subject: OCHA


 I want to find the easiest method (that complies with the law) for
 documenting an OCHA with our physicians.  Does this mean I need
 individual written agreements between our hospital and each physician
 with privileges? If so, is anyone willing to share a sample, as I can't
 find one anywhere.

 Or can this be done by simply revising the Medical Staff Bylaws and
 including a declaration that an organized health care arrangement exists
 between the docs and the hospital, and that we have jointly designed a
 NPP?

 Some area hospitals are asking their docs to sign Confidentiality
 Statements on top of everything else. This seems too much to me.

 Any guidance will be greatly appreciated.







---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions 
on this listserv therefore represent the views of the individual participants, and do 
not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If 
you wish to receive an official opinion, post your question to the WEDI SNIP Issues 
Database at http://snip.wedi.org/tracking/.   These listservs should not be used for 
commercial marketing purposes or discussion of specific vendor products and services.  
They also are not intended to be used as a forum for personal disagreements or 
unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org or send a blank email to 
[EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the 
address subscribed to the list, please use the Subscribe/Unsubscribe form at 
http://subscribe.wedi.org



RE: EMS and the NPP

2003-01-22 Thread Chris Brancato








Don,

I consult with some
of the nations largest Fire/EMS departments for HIPAA.

I advise several
different ways. Non-transports require a treat and release signature from a
patient.

A copy of NPP can
be printed on the back or separately, but they should make a reasonable
attempt to provide the NPP. What you dont say is how they are activated. If
they are activated via 911, this is an emergency response, not requiring an NPP
as the call is emergency, not routine, in nature.



I also advise
departments that do the billing to include the NPP in the billing statement,
just like the Credit Card companies do.



Hope that helps.



Chris Brancato



-Original
Message-
From: Ribelin, Donald
[mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 21, 2003
8:03 AM
To: WEDI SNIP Privacy Workgroup
List
Subject: RE: EMS and the NPP



An interesting question from our EMS HIPAA rep
yesterday: 



When EMS treats and transports an accident victim to
another hospital (one not part of our enterprise), should we give them a copy
of our NPP? One of the underlying
issues centers on our management of EMS in several counties. While most of the patients
involved end up at FirstHealth facilities (where they would receive a copy of
the NPP once their condition allowed), a significant minority are transported
to other hospitals. On first look my response is that the receiving facility
would be responsible for providing the patient with a copy of their NPP. But is that the case? I would like the groups comments,
opinions and citations re: the whole ems issue. I am also looking forward to OCRs clarifications on these
issues.





Donald L. Ribelin

HIPAA Project
Manager

Firsthealth of
the Carolinas

(910) 215-2668

[EMAIL PROTECTED]





---
The WEDI SNIP listserv to which you are subscribed is not moderated. The
discussions on this listserv therefore represent the views of the individual
participants, and do not necessarily represent the views of the WEDI Board of
Directors nor WEDI SNIP. If you wish to receive an official opinion, post your
question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.
These listservs should not be used for commercial marketing purposes or
discussion of specific vendor products and services. They also are not intended
to be used as a forum for personal disagreements or unprofessional
communication at any time.

You are currently subscribed to wedi-privacy as:
[EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at
http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as
the address subscribed to the list, please use the Subscribe/Unsubscribe form
at http://subscribe.wedi.org 




---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org






Business Associates

2003-01-22 Thread Traci Winter



Hey everyone, I know this topic has been hashed out like crazy but I find 
myself confused.

As a homecare agency we receive our business via referrals from health care 
facilities and MD offices. We are not providing services on behalf of these 
entities. It was my understanding that we wouldn't be considered BAs of these 
CEs but, due to receiving a BAC in the mail today, I find that I am now 
unsure…

Help….

Traci Winter
Hospitals Home Health Care, Inc.
Special Projects Coordinator, Privacy Official
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Alcohol and Drug Patient Privacy)

2003-01-22 Thread Vicki Hohner
I have been doing a lot of work with substance abuse programs and HIPAA,
and while not deeply familar with 42 CFR protections we have identified
that there are limited areas of overlap with HIPAA privacy. Many subject
to 42 CFR mistakenly believe that the fact that they comply with this
law, which is more stringent in its use and disclosure requirements,
means they are exempt from complying with HIPAA. However, note that
there are only a few overlaps between the two: primarily with uses and
disclosures/minimum necessary, authorizations, and some limited parts of
individual rights. This leaves a lot more under HIPAA that is not
addressed in 42 CFR--all the policies and procedures, the privacy
officer, business associate terms, the notice of privacy practices, and
accounting of disclosures, to name a few. Note also that the definitions
of what information is protected is broader under HIPAA than under 42
CFR. 

My understanding is that the feds (SAMHSA/CSAT) are working on a
comparison matrix between the two--no idea when that may be available.  

Vicki Hohner
FOX Systems, Inc.
360-970-6856
360-352-4584
Information transmitted is confidential and may be proprietary to FOX
Systems, Inc.  It is intended only for the person or entity to which it
is addressed.   Anyone else is prohibited from disclosing, copying, or
disseminating the contents or attachments.  If you receive this in
error, please notify sender immediately, or us at www.foxsys.com and
delete from your system.
 Darrell Rishel [EMAIL PROTECTED] 01/20/03 08:57 AM 
Matt-

I'll take a stab at answering your question. Please remember that in an
effort to keep it relatively brief, this is a fairly simplistic,
high-level
overview.

Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and
Other
Drugs)regs), disclosure within a program is allowed on a need-to-know
basis  without the consent of the patient. This internal disclosure is
limited to personnel having a need for the information in connection
with
their duties which arise out of the provision of diagnosis, treatment,
or
referral for treatment. In practice, I think this is very close to, if
not
the same as, the HIPAA use definition. Although the AOD regs do not
require a formal minimum necessary analysis, the concept of only
disclosing
the minimum amount of information necessary to accomplish the purpose
for
making the disclosure is clearly embedded in the regs.

It is the disclosure to external entities where, especially with the
adoption of the August, 2002, HIPAA changes, a wide gap remains between
the
two sets of regs. While HIPAA allows treatment providers to disclose PHI
for
treatment and payment (even another provider's payment) without the
patient's written consent, the AOD regs absolutely prohibit such
disclosures
related to payment, and disclosures for treatment (except for medical
emergencies) require that a written agreement be in place and that the
services which the external provider render be something different than
what
the primary provider is providing. This written agreement is known in
the
AOD regs as a Qualified Service Organization Agreement (QSOA, for
short). A
QSOA is akin to a BA agreement, though much shorter and less
complicated,
charachteristics which are, unfortunately, soon to be a thing of the
past.
While a QSOA can be used in limited circumstances for treatment (the
biggest
problem is that we cannot have one with another AOD provider), its most
common use is for operations, just as the HIPAA BA agreement will be
used
(e.g., we have a QSOA with our auditor, or outside attorneys, the
company
which prints and sends out our bills, the lab which analyzes the urine
specimens we collect, etc.). But, if we want to be able to bill an
insurance
company or any other third party payer, we have to have the patient's
written consent (in fact, we cannot even call to get pre-authorization
without written consent; how's that for customer friendly?). If we want
to
refer the patient to another health care provider, of whatever type, or
consult with another provider (like their primary care provider) who has
seen the patient, we must have the patient's written consent unless the
situation fits within the pretty narrow exception where a QSOA can be
used
and we have (or can get) one in place (the logistics and pain of trying
to
get a QSOA with all of those providers, which make doing so pretty
impracticle). The requirements in the AOD regs for a valid written
consent
are very similar to those for a HIPAA authorization: who is disclosing
the
information, to whom is the information being disclosed, what
information is
being disclosed and why is it being disclosed, there must be a
reasonble,
identifiable expiration date, the patient must be able to revoke the
consent
at any time (one specific exception here for persons referred by an
element
of the criminal justice system where treatment is a part of the
disposition), the name of the patient, the patient's signature and the
date

Re: Business Associates

2003-01-22 Thread Doug Webb



Traci,
It looks to me like someone's trying to cover 
all bases with a shotgun approach (run it up the flagpole and see who 
salutes).

My understanding is that you wouldn't need a 
BAC any more than a surgeon's office needs one with a Primary Care Physician 
referring a patient to them. This is Covered Entity to Covered Entity for 
the purposes of Treatment.

The opinions expressed here are my own and not necessarily the opinion of 
LCMH.

Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital  Health Care Centers[EMAIL PROTECTED]

"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s) named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately, 
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."



  - Original Message - 
  From: 
  Traci Winter 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, January 22, 2003 12:47 
  PM
  Subject: Business Associates
  
  Hey everyone, I know this topic has been hashed out like crazy but I find 
  myself confused.
  
  As a homecare agency we receive our business via referrals from health 
  care facilities and MD offices. We are not providing services on behalf of 
  these entities. It was my understanding that we wouldn't be considered BAs of 
  these CEs but, due to receiving a BAC in the mail today, I find that I am now 
  unsure…
  
  Help….
  
  Traci Winter
  Hospitals Home Health Care, Inc.
  Special Projects Coordinator, Privacy Official---The WEDI SNIP 
  listserv to which you are subscribed is not moderated. The discussions on this 
  listserv therefore represent the views of the individual participants, and do 
  not necessarily represent the views of the WEDI Board of Directors nor WEDI 
  SNIP. If you wish to receive an official opinion, post your question to the 
  WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs 
  should not be used for commercial marketing purposes or discussion of specific 
  vendor products and services. They also are not intended to be used as a forum 
  for personal disagreements or unprofessional communication at any 
  time.You are currently subscribed to wedi-privacy as: 
  [EMAIL PROTECTED]To unsubscribe from this list, go to the 
  Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email 
  to [EMAIL PROTECTED]If you need to unsubscribe 
  but your current email address is not the same as the address subscribed to 
  the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




to sign or not to sign

2003-01-22 Thread Traci Winter



OK so the next question is do we sign these BACs or just put them in the 
round file. Your answers reflected what my impression was, but I wanted 
reinforcement.

Thanks,
Traci Winter
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




Re: to sign or not to sign

2003-01-22 Thread Doug Webb



Traci,
My vote's for the round file.
Any lawyers out there feel free to chime 
in.

The opinions expressed here are my own and not necessarily the opinion of 
LCMH.

Douglas M. WebbComputer System EngineerLittle Company of Mary 
Hospital  Health Care Centers[EMAIL PROTECTED]

"This electronic message may contain information that is confidential 
and/or legally privileged. It is intended only for the use of the individual(s) 
and entity(s) named as recipients in the message. If you are not an 
intended recipient of the message, please notify the sender immediately, 
delete the material from any computer, do not deliver, distribute, or copy this 
message, and do not disclose its contents or take action in reliance on the 
information it contains. Thank you."



  - Original Message - 
  From: 
  Traci Winter 
  
  To: WEDI SNIP Privacy Workgroup List 
  
  Sent: Wednesday, January 22, 2003 02:49 
  PM
  Subject: to sign or not to sign
  
  OK so the next question is do we sign these BACs or just put them in the 
  round file. Your answers reflected what my impression was, but I wanted 
  reinforcement.
  
  Thanks,
  Traci Winter---The WEDI SNIP listserv to which you are 
  subscribed is not moderated. The discussions on this listserv therefore 
  represent the views of the individual participants, and do not necessarily 
  represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish 
  to receive an official opinion, post your question to the WEDI SNIP Issues 
  Database at http://snip.wedi.org/tracking/. These listservs should not be used 
  for commercial marketing purposes or discussion of specific vendor products 
  and services. They also are not intended to be used as a forum for personal 
  disagreements or unprofessional communication at any time.You are 
  currently subscribed to wedi-privacy as: [EMAIL PROTECTED]To unsubscribe from 
  this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org 
  or send a blank email to [EMAIL PROTECTED]If you 
  need to unsubscribe but your current email address is not the same as the 
  address subscribed to the list, please use the Subscribe/Unsubscribe form at 
  http://subscribe.wedi.org 
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: archive@mail-archive.com
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org




RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2 (Al cohol and Drug Patient Privacy)

2003-01-22 Thread Darrell Rishel
You are absolutely correct that there is much in HIPAA than what is in 42
C.F.R. Part 2. Isn't it nice that SAMHSA et al are being so timely with
their assistance? The Legal Action Center, a well-known, well-respected
non-profit based in New York that has done a lot of work in interpreting 42
C.F.R. Part 2, is also supposed to be coming out with a cross-walk
supplement, but if people are not already working on this, well ... If
anyone is interested, I can give you contact information for the Legal
Action Center.

Darrell Rishel, J.D. 
Director of Information Services 
Arapahoe House, Inc. 
This message is not legal advice or a binding signature.


 -Original Message-
 From: Vicki Hohner [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, January 22, 2003 12:13 PM
 To: Darrell Rishel; [EMAIL PROTECTED]
 Subject: RE: HIPAA privacy and people - comparison to 42 C.F.R. Part 2
 (Alcohol and Drug Patient Privacy)
 
 
 I have been doing a lot of work with substance abuse programs 
 and HIPAA,
 and while not deeply familar with 42 CFR protections we have 
 identified
 that there are limited areas of overlap with HIPAA privacy. 
 Many subject
 to 42 CFR mistakenly believe that the fact that they comply with this
 law, which is more stringent in its use and disclosure requirements,
 means they are exempt from complying with HIPAA. However, note that
 there are only a few overlaps between the two: primarily with uses and
 disclosures/minimum necessary, authorizations, and some 
 limited parts of
 individual rights. This leaves a lot more under HIPAA that is not
 addressed in 42 CFR--all the policies and procedures, the privacy
 officer, business associate terms, the notice of privacy 
 practices, and
 accounting of disclosures, to name a few. Note also that the 
 definitions
 of what information is protected is broader under HIPAA than under 42
 CFR. 
 
 My understanding is that the feds (SAMHSA/CSAT) are working on a
 comparison matrix between the two--no idea when that may be 
 available.  
 
 Vicki Hohner
 FOX Systems, Inc.
 360-970-6856
 360-352-4584
 Information transmitted is confidential and may be proprietary to FOX
 Systems, Inc.  It is intended only for the person or entity 
 to which it
 is addressed.   Anyone else is prohibited from disclosing, copying, or
 disseminating the contents or attachments.  If you receive this in
 error, please notify sender immediately, or us at www.foxsys.com and
 delete from your system.
  Darrell Rishel [EMAIL PROTECTED] 01/20/03 08:57 AM 
 Matt-
 
 I'll take a stab at answering your question. Please remember 
 that in an
 effort to keep it relatively brief, this is a fairly simplistic,
 high-level
 overview.
 
 Under 42 C.F.R. Part 2 (which I'll refer to as the AOD (Alcohol and
 Other
 Drugs)regs), disclosure within a program is allowed on a 
 need-to-know
 basis  without the consent of the patient. This internal 
 disclosure is
 limited to personnel having a need for the information in connection
 with
 their duties which arise out of the provision of diagnosis, treatment,
 or
 referral for treatment. In practice, I think this is very 
 close to, if
 not
 the same as, the HIPAA use definition. Although the AOD regs do not
 require a formal minimum necessary analysis, the concept of only
 disclosing
 the minimum amount of information necessary to accomplish the purpose
 for
 making the disclosure is clearly embedded in the regs.
 
 It is the disclosure to external entities where, especially with the
 adoption of the August, 2002, HIPAA changes, a wide gap 
 remains between
 the
 two sets of regs. While HIPAA allows treatment providers to 
 disclose PHI
 for
 treatment and payment (even another provider's payment) without the
 patient's written consent, the AOD regs absolutely prohibit such
 disclosures
 related to payment, and disclosures for treatment (except for medical
 emergencies) require that a written agreement be in place and that the
 services which the external provider render be something 
 different than
 what
 the primary provider is providing. This written agreement is known in
 the
 AOD regs as a Qualified Service Organization Agreement (QSOA, for
 short). A
 QSOA is akin to a BA agreement, though much shorter and less
 complicated,
 charachteristics which are, unfortunately, soon to be a thing of the
 past.
 While a QSOA can be used in limited circumstances for treatment (the
 biggest
 problem is that we cannot have one with another AOD 
 provider), its most
 common use is for operations, just as the HIPAA BA agreement will be
 used
 (e.g., we have a QSOA with our auditor, or outside attorneys, the
 company
 which prints and sends out our bills, the lab which analyzes the urine
 specimens we collect, etc.). But, if we want to be able to bill an
 insurance
 company or any other third party payer, we have to have the patient's
 written consent (in fact, we cannot even call to get pre-authorization
 without written consent; how's that for customer friendly?).